Microsoft SharePoint Most Valuable Professional (2011, 2012)
Author, Writer, Trainer & Public Speaker
Founder & Editor in Chief of SharePointVN
Publisher
Focus on Microsoft Security & Federation, Identity, Infrastructure, Methodologies and Architecture.
Data Compliance
Understand the new Dynamic Access Control
capabilities built into Windows Server 2012
Compliance is generally a response to governmental regulation, but it can also be a response to industry or internal requirements. Examples:
• The U.S. Health Insurance Portability and Accountability Act (HIPAA) for health providers
• Sarbanes-Oxley Act (SOX)
• The European Union Data Protection Directive
• U.S. state data breach laws
I’m not talking about in-depth data compliance and privacy.
Can you make sure that only authorized individuals can access confidential data?
Do you have granular control over auditing access?
How do you reduce the number of security groups your organization has?
How do you deal with regulatory standards?
Many questions come up when it comes to data access control.
CSO/CIO department: “I need to have the right compliance controls to keep me out of jail.”
Infrastructure Support: “I don’t know what data is in my repositories and how to control it.”
Content Owner: “Is my important data appropriately protected and compliant with regulations – how do I audit this?”
Information Worker: “I don’t know if I am complying with my organization’s …”
Storage growth
• 45%: compound annual growth rate (CAGR) of file-based storage.
• MSIT cost: $1.60 per GB/month for managed servers.
• >70% of stored data is stale.
• Cloud cost would be approximately 25 cents per GB/month.
Distributed information
• Corporate information is everywhere: desktops, branch offices, data centers, cloud…
• MSIT: 1500 file servers with 110 different groups managing them.
• Very hard to consistently manage the information.
Regulatory compliance
• New and changing regulations (SOX, HIPAA, GLBA…).
• International and local regulations.
• More oversight and tighter enforcement.
Data leakage
• $15M: settlement for an investment bank with the SEC over record retention.
• 246,091,423: total number of records containing sensitive personal information involved in security breaches in the US since January 2005.
• $90 to $305 per record (Forrester: “Calculating the Cost of a Security Breach”).
Encryption
• Automatic RMS encryption based on document classification.
Data Classification
• Classify your documents using resource properties stored in Active Directory.
• Automatically classify documents based on document content.
Expression-based auditing
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.
Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.
Data Classification
File Classification Infrastructure (FCI) provides insight into your data by automating classification processes. FCI uses classification rules to automatically scan files and classify them according to the contents of the file.
Some examples of classification rules include:
• Classify any file that contains the string “SBC12 Confidential” as having high business impact.
• Classify any file that contains at least 10 social security numbers as having personally identifiable information.
Data Classification
Classify your documents using resource properties stored in Active Directory. Automatically classify documents based on document content.
• A content classification rule searches a set of files for the string “SBC12 Confidential”. If the string is found in a file, the Impact resource property is set to High on the file.
• A content classification rule searches a set of files for a regular expression that matches a social security number at least 10 times in one file. If the pattern is found, the file is classified as having personally identifiable information and the Personally Identifiable Information resource property is set to High.
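The two rules above, scripted with the FileServerResourceManager cmdlets on a Windows Server 2012 R2 file server. This is an added example, not code from the deck. It assumes the share lives under D:\Shares\Finance, that the built-in Impact_MS and PII_MS resource properties are enabled in Active Directory, and that the "RegularExpressionEx=Min=…;Expr=…" parameter form is the content classifier's syntax for an occurrence threshold on your build (check Get-Help New-FsrmClassificationRule).

```powershell
# Added example (not from the original deck). Assumptions: D:\Shares\Finance is the
# classified namespace; Impact_MS and PII_MS exist in AD; the RegularExpressionEx
# Min/Expr parameter syntax matches your FSRM build.
Import-Module FileServerResourceManager

# Sync the resource property definitions (Impact_MS, PII_MS, ...) from AD into FSRM
# so they can be used as classification targets.
Update-FsrmClassificationPropertyDefinition

$shares = @("D:\Shares\Finance")

# Rule 1: literal marker string -> Impact = High. ReevaluateProperty Overwrite means
# a file that loses the marker is re-evaluated on the next run instead of keeping a
# stale High value.
New-FsrmClassificationRule -Name "SBC12 Confidential -> Impact High" `
    -Namespace $shares `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("SBC12 Confidential") `
    -Property "Impact_MS" -PropertyValue "High" `
    -ReevaluateProperty Overwrite

# Rule 2: at least 10 SSN-shaped matches in one file -> PII = High. Word boundaries
# stop longer digit runs (account numbers) from being counted as SSNs; Min=10 is the
# "at least 10 social security numbers" threshold from the slide.
New-FsrmClassificationRule -Name "10+ SSNs -> PII High" `
    -Namespace $shares `
    -ClassificationMechanism "Content Classifier" `
    -Parameters @("RegularExpressionEx=Min=10;Expr=\b\d{3}-\d{2}-\d{4}\b") `
    -Property "PII_MS" -PropertyValue "High" `
    -ReevaluateProperty Overwrite

# Run classification now rather than waiting for the schedule; -Queue returns
# immediately and the engine processes the namespace in the background.
Start-FsrmClassification -Queue -Confirm:$false

# Check: both rules are registered and the engine reports no error.
Get-FsrmClassificationRule | Select-Object Name, Property, PropertyValue
Get-FsrmClassification
```

Run it as a local administrator on the file server; the first cmdlet needs connectivity to a domain controller because it downloads the property definitions from Active Directory.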
Manage fewer security groups by using conditional expressions
Expression-based access conditions
• Flexible access control lists based on document classification and multiple identities (security groups).
• Centralized access control lists using Central Access Policies.
Example: 30 countries × 20 departments already means 600 country/department combinations, and a sensitive/confidential flag on top multiplies that again. Under a group-only model each combination needs its own security group; with conditional expressions a single Country claim, a single Department claim and a sensitivity resource property express the same rules.
What is Central Access Policy?
You can think of Central Access Policies as a safety net that your organization applies across its servers to enhance the local access policy.
Example evaluation of an expression-based access rule (claim definitions and resource properties come from Active Directory Domain Services):
User claims: User.Department = Finance; User.Clearance = High
Device claims: Device.Department = Finance; Device.Managed = True
Resource properties: Resource.Department = Finance; Resource.Impact = High
Access policy:
  Applies to: @File.Impact = High
  Allow | Read, Write | if (@User.Department == @File.Department) AND (@Device.Managed == True)
Result: the policy applies because Impact is High, and both conditions hold (Finance == Finance, Managed is True), so Read and Write are allowed.
Characteristics
• Composed of central access rules
• Applied to file servers through Group Policy objects
• Supplement (not replace) native NTFS file and folder access control lists
Central access policies
[Diagram: Organizational policies (High business impact, Personally identifiable information) and Finance department policies (High business impact, Personally identifiable information) are defined in Active Directory Domain Services. The resulting central access policies (Personally identifiable information policy, High business impact policy, Finance policy) are applied to corporate file servers: the Personally identifiable information policy to User folders, the Finance policy to Finance folders.]
Central access policy workflow
1. Active Directory Domain Services: create claim definitions, create file property definitions, create the central access policy.
2. Group Policy: send the central access policies to the file servers.
3. File server: identify (classify) the information and apply the access policy to the shared folder.
4. User’s computer: the user tries to access the information; the file server allows or denies, using the claim definitions and audit policy from Active Directory Domain Services.
Policies can be scoped for organization-wide authorization, departmental authorization, specific data management and need-to-know.
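The Active Directory side of steps 1 and 4 above, scripted with the ActiveDirectory module on a Windows Server 2012 (or later) domain controller. This is an added example, not code from the deck. Assumptions: user clearance is stored in extensionAttribute1 and a device's managed state in extensionAttribute2 (your schema must have these attributes; substitute whatever your inventory system writes), the claim IDs "ad://ext/…", the rule and policy names, and the use of the built-in Impact_MS and Department_MS resource properties are all illustrative.

```powershell
# Added example (not from the original deck). Assumptions: extensionAttribute1/2 exist
# in the schema; the claim IDs, rule name and policy name are made up for this demo.
Import-Module ActiveDirectory

# Step 1a: claim definitions. Department applies to users and computers so one claim
# type backs both User.Department and Device.Department from the slide.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -AppliesToClasses @("user", "computer")
New-ADClaimType -DisplayName "Clearance" -SourceAttribute "extensionAttribute1" `
    -ID "ad://ext/Clearance" -AppliesToClasses @("user")
New-ADClaimType -DisplayName "Managed" -SourceAttribute "extensionAttribute2" `
    -ID "ad://ext/Managed" -AppliesToClasses @("computer")

# Step 1b: file (resource) property definitions. The built-in properties ship
# disabled; enable them and add them to the Global Resource Property List, which is
# what file servers download.
Set-ADResourceProperty -Identity "Impact_MS" -Enabled $true
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" `
    -Members @("Impact_MS", "Department_MS")

# Step 1c: central access rule = targeting condition + conditional ACL (SDDL).
# The XA (callback allow) ACE grants Modify (0x1301bf) to Authenticated Users (AU)
# only when the user's Department claim equals the file's Department property AND the
# device presents Managed == "True", i.e. the slide's rule. Owner (OW), local
# Administrators (BA) and SYSTEM (SY) keep full control.
$rule = New-ADCentralAccessRule -Name "Finance High Impact Rule" -PassThru `
    -ResourceCondition '(@RESOURCE.Impact_MS == "High")' `
    -CurrentAcl ('O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
        '(XA;;0x1301bf;;;AU;((@USER.ad://ext/Department == @RESOURCE.Department_MS) ' +
        '&& (@DEVICE.ad://ext/Managed == "True")))')

# Step 1d: the central access policy that carries the rule.
$policy = New-ADCentralAccessPolicy -Name "Finance Policy" -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# Step 2 is Group Policy: in a GPO linked to the file servers, add "Finance Policy" under
#   Computer Configuration > Policies > Windows Settings > Security Settings >
#   File System > Central Access Policy.
# Device claims also need "KDC support for claims, compound authentication and Kerberos
# armoring" on the domain controllers and the matching Kerberos client setting.
# Step 3, on each file server after gpupdate: pull the resource properties into FSRM,
# then select "Finance Policy" on the shared folder's Security > Central Policy tab.
#   Update-FsrmClassificationPropertyDefinition
```

Stage the conditional ACL with -ProposedAcl instead of -CurrentAcl first: the file server then logs what the new rule would have allowed or denied without changing effective access, which is the safe way to roll out a rule that supplements existing NTFS permissions.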
Expression-based auditing
• Limit auditing to data that meets specific classification criteria.
• Limit auditing by action and by identity.
• Add contextual information into the audit events.
• Targeted access auditing based on document classification and user identity.
• Centralized deployment of audit policies using Global Audit Policies.
Security auditing workflow
1. Active Directory Domain Services: create claim types and resource properties.
2. Group Policy: create the global audit policy.
3. File server: select and apply resource properties to the shared folders.
4. User’s computer: the user tries to access information; the file server allows or denies and, using the claim definitions and audit policy from Active Directory Domain Services, records the audit event.
Audit policy examples
• Audit everyone who does not have a high security clearance and who tries to access a document that has a high impact on business.
• Audit all vendors when they try to access documents related to projects that they are not working on.
Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High
Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project
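The two audit rules above expressed as Global Object Access Auditing resource SACLs with auditpol, followed by a query that pulls the resulting 4663 events and keeps only those whose resource attributes mark the file as Impact High (the "contextual information" the slides mention). This is an added example, not code from the deck. Assumptions: claim IDs ad://ext/Clearance, ad://ext/EmploymentStatus and ad://ext/Project, resource properties Impact_MS and Project_MS; the --% stop-parsing token hands the quoted condition to auditpol verbatim and \" is how the inner quotes reach it (verify on your build, since native-command quoting differs between PowerShell versions).

```powershell
# Added example (not from the original deck). Assumptions: claim IDs ad://ext/Clearance,
# ad://ext/EmploymentStatus, ad://ext/Project; resource properties Impact_MS, Project_MS;
# auditpol quoting as shown works for your PowerShell version.

# Object access events (4663) are only written if the subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Rule 1: anyone without High clearance touching a High-impact file.
auditpol --% /resourceSACL /set /type:File /user:Everyone /success /failure /access:FA /condition:"(@RESOURCE.Impact_MS == \"High\") && (@USER.ad://ext/Clearance != \"High\")"

# Rule 2: vendors reaching for documents of projects they are not assigned to.
auditpol --% /resourceSACL /set /type:File /user:Everyone /success /failure /access:FA /condition:"(@USER.ad://ext/EmploymentStatus == \"Vendor\") && (@USER.ad://ext/Project Not_Any_of @RESOURCE.Project_MS)"

# Review what is now in force.
auditpol /resourceSACL /type:File /view

# Event 4663 on Windows Server 2012 carries the file's resource attributes, e.g.
#   S:AI(RA;ID;;;;WD;("Impact_MS",TS,0x0,"High"))
# so the classification that triggered the audit travels with the event.
function Get-HighImpactAccessEvents {
    param([int]$MaxEvents = 500, [string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Keep the event only if the Impact_MS attribute carries the value High.
        if ($data['ResourceAttributes'] -match '"Impact_MS",[^)]*"High"') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object  = $data['ObjectName']
                Access  = $data['AccessMask']
                Process = $data['ProcessName']
                Attrs   = $data['ResourceAttributes']
            }
        }
    }
}

Get-HighImpactAccessEvents -MaxEvents 200 | Format-Table -AutoSize
```

Resource SACLs set with auditpol apply only to the server they are run on; for the centralized deployment the slides describe, put the same expressions in the GPO under Advanced Audit Policy Configuration > Global Object Access Auditing > File System and let Group Policy push them to every file server.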
Data Encryption Challenges
How do I protect sensitive information after it leaves my protected environment?
Process to encrypt a file based on classification
1. Claim definitions, file property definitions, and access policies are established in Active Directory Domain Services.
2. A user creates a file with the word “confidential” in the text and saves it.
3. The classification engine classifies the file as high-impact according to the configured rules. On the file server, a rule automatically applies RMS protection to any file classified as high-impact.
4. The RMS template and encryption are applied to the file on the file server and the file is encrypted.
[Diagram: classification-based encryption process: User → File server → Classification engine → RMS server]
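Step 3 of the process above as an FSRM file management job that applies an AD RMS template to every file whose Impact_MS property is High. This is an added example, not code from the deck. Assumptions: the file server is already registered with an AD RMS cluster (so Get-FsrmRmsTemplate returns templates), the template is named "Contoso Confidential", the share is D:\Shares\Finance, and a classification rule that sets Impact_MS to High (such as the "confidential" keyword rule) already exists.

```powershell
# Added example (not from the original deck). Assumptions: RMS client registered with an
# AD RMS cluster; template "Contoso Confidential" exists; D:\Shares\Finance is classified.
Import-Module FileServerResourceManager

$templateName = "Contoso Confidential"
$shares       = @("D:\Shares\Finance")

# Fail early if the template is not visible from this server: the job would otherwise be
# created but every run would error instead of protecting anything.
$template = Get-FsrmRmsTemplate | Where-Object { $_.Name -eq $templateName }
if (-not $template) {
    throw "RMS template '$templateName' not found; check the AD RMS cluster registration."
}

# Condition: the property the classification engine sets on high-impact files.
$condition = New-FsrmFmjCondition -Property "Impact_MS" -Condition Equal -Value "High"

# Action: apply the RMS template (encryption plus the template's usage rights).
$action = New-FsrmFmjAction -Type Rms -RmsTemplate $templateName

# Weekly sweep to catch files classified while the continuous watcher was not running
# (for example across a reboot); -Continuous below handles newly classified files.
$schedule = New-FsrmScheduledTask -Time (Get-Date "02:00") -Weekly @("Sunday")

New-FsrmFileManagementJob -Name "Protect High Impact Files" `
    -Namespace $shares `
    -Condition @($condition) `
    -Action $action `
    -Schedule $schedule `
    -Continuous

# Run the job once now so files that are already High-impact are protected immediately.
Start-FsrmFileManagementJob -Name "Protect High Impact Files" -Confirm:$false
```

Keep the condition on the classification property rather than on a folder path: the point of the process is that the protection follows the content wherever it was saved, and a user who saves a confidential document in the wrong folder still gets it encrypted.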